Provided by: thc-ipv6_3.8-1build1_amd64 bug


       The Hacker Choice's IPv6 Attack Toolkit (aka thc-ipv6)


       tool [options] ...

              This  manual  page  briefly  documents  each  of the attack-toolkit6 tools. Not all
              options are listed here, to see the full list of options of each tool please invoke
              them with -h.

              Note  that  on  Debian (if you read this on Debian) command names are prefixed with
              atk6- , so for example the tool alive6 should be invoked as atk6-alive6.  This is a
              Debian-only modification.

       address6 <mac-address/ipv4-address/ipv6-address> [ipv6-prefix]
              Converts a mac or ipv4 address to an ipv6 address (link local if no prefix is given
              as 2nd option) or, when given an ipv6 address, prints  the  mac  or  ipv4  address.
              Prints  all  possible  variations. Returns -1 on errors or the number of variations

       alive6 <interface> [unicast-or-multicast-address [remote-router]]
              Shows alive addresses in the segment. If you specify a remote router,  the  packets
              are sent with a routing header prefixed by fragmentation.

       covert_send6 <interface> <target> <file> [port]
              Sends the content of FILE covertly to the target.

       covert_send6d <interface> <file>
              Writes received covertly content to FILE.

       denial6 <interface> <destination> <test-case-number>
              Performs various denial of service attacks on a target.

       detect_sniffer6 <interface> [target-ip]
              Tests  if systems on the local LAN are sniffing. Works against Windows, Linux, OS/X
              and *BSD systems.

       dnssecwalk [-e46] <dns-server> <domain>
              Performs DNSSEC NSEC walking.

       dos_mld <interface>
              This tools prevents new ipv6 interfaces to come up, by sending answers to duplicate
              ip6 checks (DAD). This results in a DOS for new ipv6 devices.

       dos-new-ip6 <interface>
              This tools prevents new ipv6 interfaces to come up, by sending answers to duplicate
              ip6 checks (DAD). This results in a DOS for new ipv6 devices.

       detect-new-ip6 <interface> [scriptname]
              This tools detects new ipv6 addresses joining the local network.  If scriptname  is
              supplied, it is executed with the detected IPv6 address as option.

       dnsdict6 [-t THREADS] <domain> [dictionary-file]
              Enumerates  a  domain  for  DNS entries, it uses a dictionary file if supplied or a
              built-in list otherwise.

       dnsrevenum6 <dns-server> <ipv6-address>
              Performs a fast reverse DNS enumeration.

       dump_router6 <interface>
              Dumps all local routers and their information.

       dump_dhcp6 <interface>
              Dumps all DHCPv6 servers and their information

       exploit6 <interface> <destination> [test-case-number]
              Performs exploits of various CVE known IPv6 vulnerabilities on the destination.

       extract_hosts6 <file>
              Prints the host parts of ipv6 addresses in file.

       extract_networks6 <interface>
              Prints the networks found in file.

       fake_advertise6 <interface> <ip-address> [target-address [own-mac-address]]
              Advertise ipv6 address on the network (with own mac if not defined) sending  it  to
              the all-nodes multicast address if no target specified.

       fake_dhcps6 <interface> <network-address/prefix-length> <dns-server>
              Fake DHCPv6 server. Used to configure an address and set a DNS server.

       fake_dns6d <interface> <ipv6-address>
              Fake DNS server that serves the same IPv6 address to any lookup request.

       fake_dnsupdate6 <dns-server> <fqdn> <ipv6-address>
              Send false DNS update requests.

       fake_mipv6 <interface> <home-address> <home-agent-address> <care-of-address>
              If  the  mobile  IPv6  home-agent is mis-configured to accept MIPV6 updates without
              IPSEC, this will redirect all packets for home-address to care-of-address.

       fake_mld6 <interface> <multicast-address>  [[target-address]  [[ttl]  [[own-ip]  [own-mac-
              Advertise yourself in a multicast group of your choice.

       fake_mld26  [-l]  <interface>  <add|delete|query>  [multicast-address [target-address [ttl
       [own-ip [own-mac-address [destination-mac-address]]]]]]
              This uses the MLDv2 protocol. Only a subset of what the protocol is able to  do  is
              possible to implement via a command line.

       fake_mldrouter6   [-l]   <interface>  <advertise|solicitate|terminate>  [own-ip  [own-mac-
              Announce, delete or solicitate MLD router - yourself or others.

       fake_pim6 [-t ttl] [-s src6] [-d  dst6]  <interface>  {<hello>  [dr_priority]|{join|prune}
       <neighbor6> <multicast6> <target6>}
              The hello command takes optionally the DR priority (default: 0).

       fake_router6 <interface> <router-ip-link-local
              network-address/prefix-length>  <mtu>  [mac-address]  Announce yourself as a router
              and try to become the default router.  If a non-existing mac-address  is  supplied,
              this results in a DOS.

       fake_router26 <interface>
              Like fake_router6 with more options available.

       fake_solicitate6 <interface> <solicited-ip>
              Solicits  IPv6  address  on  the  network,  sending  it  to the all-nodes multicast

       firewall6 [-u] <interface> <destination> <port> [test-case-no]
              Performs various ACL bypass attempts to check  implementations.   Defaults  to  TCP
              ports,  option  -u switches to UDP.  For all test cases to work, ICMPv6 ping to the
              destination must be allowed.

       flood_advertise6 <interface>
              Flood the local network with neighbor advertisements.

       flood_dhcpc6 <interface> [domain-name]
              DHCP client flooder. Use to deplete the IP address pool a DHCP6 server is offering.
              Note: if the pool is very large, this is rather senseless.

       flood_mld6 <interface>
              Flood the local network with MLD reports.

       flood_mld26 <interface>
              Flood the local network with MLDv2 reports.

       flood_mldrouter6 <interface>
              Flood the local network with MLD router advertisements.

       flood_redir6 [-HFD] interface [target] [oldrouter [newrouter]]
              Flood a target with ICMPv6 redirects

       flood_router6 <interface>
              Flood the local network with router advertisements.

       flood_router26 <interface>
              Similar to flood_router6 but with more options available.

       flood_rs6 [-sS] interface [target]
              Flood a network with ICMPv6 router solicitation messages

       flood_solicitate6 <interface> [target-ip]
              Flood the network with neighbor solicitations.

       four2six [-FHD] [-s src6] interface ipv6-to-ipv4-gateway ipv4-src ipv4-dst [port]
              Send (spoofed) packets over a 4to6 tunnel (IPv4 packets over IPv6 networks)

       fragmentation6 <interface> <target-ip>
              Performs fragment firewall and implementation checks, including denial-of-service.

       fuzz_ip6  [-x]  [-t  number  |  -T  number]  [-p number] [-IFSDHRJ] [-1|-2|-3|-4|-5|-6|-7]
       <interface> <unicast-or-multicast-address> [address-in-data-pkt]
              Fuzzes an icmp6 packet.

       fuzz_dhcpc6 [-1|-2|-3|-4|-5|-6|-7|-8|-9|-A|-B|-C|-D|-m] [-f mac] [-l link] [-v  ipv6]  [-x
       xid] [-c client] [-o options] interface
              Fuzzes messages sent to a DHCPv6 client.

       fuzz_dhcps6  [-t  number  |  -T  number]  [-e  number  |  -T  number]  [-p  number]  [-md]
       [-1|-2|-3|-4|-5|-6|-7|-8] interface [domain-name]
              Fuzzes a DHCPv6 server on  specified  packet  types.   implementation6  <interface>
              <destination>  [test-case-number]  Performs some ipv6 implementation checks, can be
              used to test firewalls too.

       implementation6d <interface>
              Identifies test packets by the implementation6 tool, useful to check  what  packets
              passed a firewall.

       inject_alive6 [-ap] <interface>
              This  tool  answers  to  keep-alive requests on PPPoE and 6in4 tunnels; for PPPoE0t
              also sends keep-alive requests.  Note that  the  appropriate  environment  variable
              THC_IPV6_{PPPOE|6IN4}  must  be  set.   Option -a will actively send alive requests
              every 15 seconds.  Option -p will not send replies to alive requests.

       inverse_lookup6 <interface> <mac-address>
              Performs an inverse address query, to get the IPv6 addresses that are assigned to a
              MAC address. Note that only few systems support this yet.

       kill_router6 <interface> <target-ip>
              Announce  that target router is going down to delete it from the routing tables. If
              you supply a '*' as target-ip, this  tool  will  sniff  the  network  for  RAs  and
              immediately send the kill packet.

       ndpexhaust26 <interface> [-acpPTUrR] [-s sourceip6] <target-network>
              Flood  the target /64 network with ICMPv6 TooBig error messages.  This tool version
              is manyfold more effective than ndpexhaust6.  -a      add a hop-by-hop header  with
              router  alert.   -c       do not calculate the checksum to save time.  -p      send
              ICMPv6 Echo Requests.  -P      send ICMPv6 Echo Reply.  -T      send  ICMPv6  Time-
              to-live-exceeded.   -U       send ICMPv6 Unreachable (no route).  -r      randomize
              the source from your /64 prefix.  -R      randomize the source fully.  -s sourceip6
              use this as source ipv6 address.

       ndpexhaust6 <interface> <target-network>
              Randomly pings IPs in target network.

       node_query6 <interface> <target-ip>
              Sends an ICMPv6 node query request to the target and dumps the replies.

       parasite6 <interface> [fake-mac]
              This is an "ARP spoofer" for IPv6, redirecting all local traffic to your own system
              (or  nirvana  if  fake-mac  does  not  exist)  by  answering  falsely  to  Neighbor
              Solicitation requests, specifying FAKE-MAC results in a local DOS.

       passive_discovery6 <interface> [scriptname]
              Passively  sniffs  the  network  and  dump all client's IPv6 addresses detected. If
              scriptname is supplied, it is called with the detected IPv6 address  as  first  and
              the interface as second parameters.

       randicmp6 <interface> <target-ip>
              Sends all ICMPv6 type and code combinations to target.

       redir6 <interface> <src-ip> <target-ip> <original-router> <new-router> [new-router-mac]
              Implant  a  route  into src-ip, which redirects all traffic to target-ip to new-ip.
              You must know the router which would handle the route.  If the new-router-mac  does
              not exist, this results in a DOS.

       redirsniff6 <interface> <victim-ip> <destination-ip> <original-router> [<new-router> [new-
              Implant a route into victim-ip, which redirects all traffic  to  destination-ip  to
              new-router.  You  must  know  the router which would handle the route.  If the new-
              router and new-router-mac does not exist, this results in a DoS.

       rsmurf6 <interface> <victim-ip>
              Smurfs the local network of the victim. Note: this  depends  on  an  implementation
              error,  currently  only  verified  on  Linux  (fixed  in  current versions).  Evil:
              "ff02::1" as victim will DOS your local LAN completely.

       smurf6 <interface> <victim-ip> [multicast-network-address]
              Smurf the target with ICMPv6 echo replies. Target of echo request is the local all-
              nodes multicast address if not specified.

       sendpees6 <interface> <key_length> <prefix> <victim-ip>
              Send  SEND  neighbor solicitation messages and make target to verify a lota CGA and
              RSA signatures.

       sendpeesmp6 <interface> <key_length> <prefix> <victim-ip>
              Multithreaded version of sendpees6.

       trace6 [-d] <interface> targetaddress [port]
              A basic but very fast traceroute6 program.

       thcping6 <interface> <src6> <dst6> <srcmac> <dstmac> <data>
              Craft your special ICMPv6 echo request packet.

       thcsyn6 [-AcDrRS] [-p port] [-s source-ip6] <interface> <target> <port>
              Flood the target port with TCP-SYN packets. If  you  supply  "x"  as  port,  it  is

       toobig6 <interface> <target-ip> <existing-ip> <mtu>
              Implants the specified mtu on the target


       nmap(1), amap(1), dsniff(8).


       thc-ipv6 was written by van Hauser <> / THC

       The homepage for this toolkit is:

       This  manual page was written by Maykel Moya <> and Arturo Borrero Gonzalez
       <>, for the Debian project (but may be used by  others).  It's  based  on
       previous work by Michael Gebetsroither <>.